[slf4j-dev] Outdated log4j dependency
Florian Pöhr
florian.poehr at nomapo.com
Fri Jul 16 08:34:57 CEST 2021
Dear Slf4j team,
I noticed that when using Slf4j with log4j the dependency that gets
pulled by Slf4j is outdated (log4j-1.2.17.jar). Log4J 1.2.17 reached end
of life in 2015 (see http://logging.apache.org/log4j/1.2/download.html).
This leads to the following problems:
* Log4J 1.2.17 contains a security vulnerability (see https://nvd.nist.gov/vuln/detail/CVE-2019-17571)
* Log4J 1.2.17 contains a dirty bugfix that messes up the Java module system (see https://stackoverflow.com/questions/60130941/resolutionexception-in-java-11)
Therefore I wanted to ask: are there any plans to switch to a newer
Log4J 2.x version in the near future? I guess I am not the only one
having problems with this dependency.
Best regards,
Florian Poehr
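The practical question behind this report is whether a build actually ships the end-of-life log4j 1.2.x artifact. The following script is an added example, not code from the SLF4J project or from the poster: it inspects jar file names (and, when the jar bytes are available, the `Implementation-Version` in `META-INF/MANIFEST.MF`) and flags the 1.x line as outdated and 1.2.x releases up to 1.2.17 as affected by CVE-2019-17571, the CVE the post cites (NVD lists all 1.2 releases up to 1.2.17 as affected). The sample classpath, the `build_fake_jar` fixture and the `scan` helper are constructed for the example; the only page-specific values are the 1.2.17 version and the CVE id.

```python
import io
import re
import zipfile

# From the post: log4j 1.2.17 is end-of-life and carries CVE-2019-17571.
# NVD scopes that CVE to log4j 1.2 releases up to and including 1.2.17.
EOL_MAJOR = 1
AFFECTED_CVE = "CVE-2019-17571"
AFFECTED_MAX = (1, 2, 17)

# Matches the classic log4j 1.x artifact name, e.g. log4j-1.2.17.jar.
# log4j 2.x artifacts (log4j-core-2.x.jar, log4j-api-2.x.jar) do not match.
JAR_NAME_RE = re.compile(r"^log4j-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '1.2.17' into (1, 2, 17) so versions compare as tuples, not strings."""
    return tuple(int(part) for part in text.split("."))


def manifest_version(jar_bytes):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return value.strip()
    return None


def classify_jar(name, jar_bytes=None):
    """Return a finding dict for a log4j 1.x-style jar, or None for any other jar.

    The manifest version, when readable, overrides the version in the file name,
    because a renamed jar is a common way for an old release to hide.
    """
    match = JAR_NAME_RE.match(name)
    if match is None:
        return None
    version = match.group(1)
    if jar_bytes is not None:
        from_manifest = manifest_version(jar_bytes)
        if from_manifest:
            version = from_manifest
    parsed = parse_version(version)
    finding = {
        "jar": name,
        "version": version,
        "outdated": parsed[0] <= EOL_MAJOR,
        "cves": [],
    }
    if parsed[:2] == (1, 2) and parsed <= AFFECTED_MAX:
        finding["cves"].append(AFFECTED_CVE)
    return finding


def scan(entries):
    """entries maps jar file name -> jar bytes (or None when only the name is known)."""
    findings = []
    for name, data in entries.items():
        finding = classify_jar(name, data)
        if finding is not None:
            findings.append(finding)
    return findings


def build_fake_jar(impl_version):
    """Constructed fixture: a minimal zip carrying only a manifest, standing in for a real jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % impl_version,
        )
    return buf.getvalue()


# Constructed sample classpath: what a lib/ directory might contain after
# slf4j-log4j12 pulls in log4j 1.2.17, plus unrelated jars that must not be flagged.
SAMPLE_CLASSPATH = {
    "log4j-1.2.17.jar": build_fake_jar("1.2.17"),
    "log4j-1.2.15.jar": None,
    "log4j-core-2.17.1.jar": None,
    "slf4j-api-1.7.30.jar": None,
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_CLASSPATH):
        status = "OUTDATED" if finding["outdated"] else "ok"
        print("%s version=%s %s %s" % (finding["jar"], finding["version"],
                                       status, ",".join(finding["cves"])))
```

Running the script against the constructed classpath reports both 1.2.x jars as outdated and tags each with CVE-2019-17571, while the log4j 2.x and slf4j-api jars are ignored. To use it on a real build, replace `SAMPLE_CLASSPATH` with the jar names and bytes read from the deployment's lib directory; the name match is a cheap first pass, and the manifest check catches jars that were renamed.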